Hide ’N Seek is back with a vengeance, adding two new exploits to its menacing family of malware. See how Palo Alto Networks customers are protected, and track the malware family, too.

Executive Summary

The Hide ’N Seek botnet was first discovered in January 2018 and is known for its unique use of peer-to-peer communication between bots.

Since its discovery, the malware family has seen a couple of upgrades, from the addition of persistence and new exploits, to targeting Android devices via the Android Debug Bridge (ADB).

Unit 42 shares the latest on the Hide ’N Seek botnet.

This post details a variant of the family first seen on the 21st of February 2019, incorporating two new exploits: CVE-2018-20062, which targets ThinkPHP installations, and CVE-2019-7238, a Remote Code Execution (RCE) vulnerability in Sonatype Nexus Repository Manager (NXRM) 3 software installations.

While the ThinkPHP exploit has already been seen employed by several Mirai variants, the only other instance of the CVE-2019-7238 vulnerability being exploited in the wild has been by the DDG botnet. Our research, outlined below, shows that the Hide ’N Seek botnet incorporated this exploit back in February 2019, even before the DDG botnet.